Abstract | The attack surface of a modern vehicle increases with its connectivity. A strategy to prevent attacks or at least to identify such attacks and to mitigate their effects is therefore imperative. The detection of indications for intrusive behavior in an in-vehicle network is an important aspect of a holistic security concept. The structure of the payload of in-vehicle messages with respect to the encoded sensor values is in general confidential. Therefore, most researchers consider the structure of the in-vehicle messages to be bit- or byte-fields. However, this may hide anomalies which are characterized by correlations between sensor values transferred by the in-vehicle messages. In this work, we evaluate the influence of accuracy of the model of the payload structure with respect to the actual sensor values on the results of different intrusion detection methods. In particular, we analyze if an improved alignment is helpful to detect anomalies introduced by stealthy intrusions. In order to cover conceptually different modeling and reasoning techniques, we adapted a deep learning approach as well as a characteristic functions based intrusion detection approach to utilize such message streams. An important aspect is that the explainability of the results is better compared to deep learning systems. We further developed a set of test vectors based on log files of a vehicle enriched by different intrusions. In particular, we included simulations of stealthy intrusions which mask certain sensor values within the respective messages. The effectiveness of the developed methods is demonstrated by various experiments. |
---|